From 6552b0c02d23b39e4364be3cda5e0a2eb6a306c9 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 9 Aug 2023 00:55:30 +0200
Subject: hotspot-to-wpa: convert to template, split capsman & wifiwave2

---
 doc/hotspot-to-wpa.md                |  34 ++++++++---
 hotspot-to-wpa-cleanup.capsman.rsc   |  68 ++++++++++++++++++++++
 hotspot-to-wpa-cleanup.rsc           |  65 +--------------------
 hotspot-to-wpa-cleanup.template.rsc  |  75 ++++++++++++++++++++++++
 hotspot-to-wpa-cleanup.wifiwave2.rsc |  68 ++++++++++++++++++++++
 hotspot-to-wpa.capsman.rsc           |  89 ++++++++++++++++++++++++++++
 hotspot-to-wpa.rsc                   |  86 +--------------------------
 hotspot-to-wpa.template.rsc          | 110 +++++++++++++++++++++++++++++++++++
 hotspot-to-wpa.wifiwave2.rsc         |  86 +++++++++++++++++++++++++++
 9 files changed, 523 insertions(+), 158 deletions(-)
 create mode 100644 hotspot-to-wpa-cleanup.capsman.rsc
 create mode 100644 hotspot-to-wpa-cleanup.template.rsc
 create mode 100644 hotspot-to-wpa-cleanup.wifiwave2.rsc
 create mode 100644 hotspot-to-wpa.capsman.rsc
 create mode 100644 hotspot-to-wpa.template.rsc
 create mode 100644 hotspot-to-wpa.wifiwave2.rsc

diff --git a/doc/hotspot-to-wpa.md b/doc/hotspot-to-wpa.md
index 2630694..4909eef 100644
--- a/doc/hotspot-to-wpa.md
+++ b/doc/hotspot-to-wpa.md
@@ -19,24 +19,35 @@ Requirements and installation
 You need a properly configured hotspot on one (open) SSID and a WP2 enabled
 SSID with suffix "`-wpa`".
 
-Then install the script:
+Then install the script. Depending on whether you use `wifiwave2` package
+(`/interface/wifiwave2`) or legacy wifi with CAPsMAN (`/caps-man`) you need
+to install a different script and set it as `on-login` script in hotspot.
 
-    $ScriptInstallUpdate hotspot-to-wpa;
+For `wifiwave2`:
 
-Configure your hotspot to use this script as `on-login` script:
+    $ScriptInstallUpdate hotspot-to-wpa.wifiwave2;
+    /ip/hotspot/user/profile/set on-login="hotspot-to-wpa.wifiwave2" [ find ];
 
-    /ip/hotspot/user/profile/set on-login=hotspot-to-wpa [ find ];
+For legacy CAPsMAN:
+
+    $ScriptInstallUpdate hotspot-to-wpa.capsman;
+    /ip/hotspot/user/profile/set on-login="hotspot-to-wpa.capsman" [ find ];
 
 ### Automatic cleanup
 
 With just `hotspot-to-wpa` installed the mac addresses will last in the
-access list forever. Install the optional script for automatic cleanup:
+access list forever. Install the optional script for automatic cleanup
+and add a scheduler.
+
+For `wifiwave2`:
 
-    $ScriptInstallUpdate hotspot-to-wpa-cleanup,lease-script;
+    $ScriptInstallUpdate hotspot-to-wpa-cleanup.wifiwave2,lease-script;
+    /system/scheduler/add interval=1d name=hotspot-to-wpa-cleanup on-event="/system/script/run hotspot-to-wpa-cleanup.wifiwave2;" start-time=startup;
 
-Create a scheduler:
+For legacy CAPsMAN:
 
-    /system/scheduler/add interval=1d name=hotspot-to-wpa-cleanup on-event="/system/script/run hotspot-to-wpa-cleanup;" start-time=startup;
+    $ScriptInstallUpdate hotspot-to-wpa-cleanup.capsman,lease-script;
+    /system/scheduler/add interval=1d name=hotspot-to-wpa-cleanup on-event="/system/script/run hotspot-to-wpa-cleanup.capsman;" start-time=startup;
 
 And add the lease script and matcher comment to your wpa interfaces' dhcp
 server. You can add more information to the comment, separated by comma. In
@@ -74,7 +85,12 @@ Additionally templates can be created to give more options for access list:
 * `vlan-id`: connect device to specific VLAN
 * `vlan-mode`: set the VLAN mode for device
 
-For a hotspot called `example` the template could look like this:
+For a hotspot called `example` the template could look like this. For
+`wifiwave2`:
+
+    /interface/wifiwave2/access-list/add comment="hotspot-to-wpa template example" disabled=yes private-passphrase="ignore" ssid-regexp="^example\$" vlan-id=10;
+
+For legacy CAPsMAN:
 
     /caps-man/access-list/add comment="hotspot-to-wpa template example" disabled=yes private-passphrase="ignore" ssid-regexp="^example\$" vlan-id=10 vlan-mode=use-tag;
 
diff --git a/hotspot-to-wpa-cleanup.capsman.rsc b/hotspot-to-wpa-cleanup.capsman.rsc
new file mode 100644
index 0000000..5bded2c
--- /dev/null
+++ b/hotspot-to-wpa-cleanup.capsman.rsc
@@ -0,0 +1,68 @@
+#!rsc by RouterOS
+# RouterOS script: hotspot-to-wpa-cleanup.capsman
+# Copyright (c) 2021-2023 Christian Hesse <mail@eworm.de>
+# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+#
+# provides: lease-script, order=80
+#
+# manage and clean up private WPA passphrase after hotspot login
+# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local 0 "hotspot-to-wpa-cleanup.capsman";
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:global EitherOr;
+:global LogPrintExit2;
+:global ParseKeyValueStore;
+:global ScriptLock;
+
+$ScriptLock $0 false 10;
+
+:local DHCPServers ({});
+:foreach Server in=[ /ip/dhcp-server/find where comment~"hotspot-to-wpa" ] do={
+  :local ServerVal [ /ip/dhcp-server/get $Server ]
+  :local ServerInfo [ $ParseKeyValueStore ($ServerVal->"comment") ];
+  :if (($ServerInfo->"hotspot-to-wpa") = "wpa") do={
+    :set ($DHCPServers->($ServerVal->"name")) \
+      [ :totime [ $EitherOr ($ServerInfo->"timeout") 4w ] ];
+  }
+}
+
+:foreach Client in=[ /caps-man/registration-table/find where comment~"^hotspot-to-wpa:" ] do={
+  :local ClientVal [ /caps-man/registration-table/get $Client ];
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where dynamic \
+      mac-address=($ClientVal->"mac-address") ] do={
+    :if (($DHCPServers->[ /ip/dhcp-server/lease/get $Lease server ]) > 0s) do={
+      $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
+        " connected to WPA, making lease static.") false;
+      /ip/dhcp-server/lease/make-static $Lease;
+      /ip/dhcp-server/lease/set comment=($ClientVal->"comment") $Lease;
+    }
+  }
+}
+
+:foreach Client in=[ /caps-man/access-list/find where comment~"^hotspot-to-wpa:" \
+    !(comment~[ /system/clock/get date ]) ] do={
+  :local ClientVal [ /caps-man/access-list/get $Client ];
+  :if ([ :len [ /ip/dhcp-server/lease/find where !dynamic comment~"^hotspot-to-wpa:" \
+       mac-address=($ClientVal->"mac-address") ] ] = 0) do={
+    $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
+      " did not connect to WPA, removing from access list.") false;
+    /caps-man/access-list/remove $Client;
+  }
+}
+
+:foreach Server,Timeout in=$DHCPServers do={
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where !dynamic status="waiting" \
+      server=$Server last-seen>$Timeout comment~"^hotspot-to-wpa:" ] do={
+    :local LeaseVal [ /ip/dhcp-server/lease/get $Lease ];
+    $LogPrintExit2 info $0 ("Client with mac address " . ($LeaseVal->"mac-address") . \
+      " was not seen for " . $Timeout . ", removing.") false;
+    /caps-man/access-list/remove [ find where comment~"^hotspot-to-wpa:" \
+      mac-address=($LeaseVal->"mac-address") ];
+    /ip/dhcp-server/lease/remove $Lease;
+  }
+}
diff --git a/hotspot-to-wpa-cleanup.rsc b/hotspot-to-wpa-cleanup.rsc
index adb0abb..2da00ca 100644
--- a/hotspot-to-wpa-cleanup.rsc
+++ b/hotspot-to-wpa-cleanup.rsc
@@ -1,66 +1,3 @@
 #!rsc by RouterOS
-# RouterOS script: hotspot-to-wpa-cleanup
-# Copyright (c) 2021-2023 Christian Hesse <mail@eworm.de>
-# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
 #
-# provides: lease-script, order=80
-#
-# manage and clean up private WPA passphrase after hotspot login
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
-
-:local 0 "hotspot-to-wpa-cleanup";
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:global EitherOr;
-:global LogPrintExit2;
-:global ParseKeyValueStore;
-:global ScriptLock;
-
-$ScriptLock $0 false 10;
-
-:local DHCPServers ({});
-:foreach Server in=[ /ip/dhcp-server/find where comment~"hotspot-to-wpa" ] do={
-  :local ServerVal [ /ip/dhcp-server/get $Server ]
-  :local ServerInfo [ $ParseKeyValueStore ($ServerVal->"comment") ];
-  :if (($ServerInfo->"hotspot-to-wpa") = "wpa") do={
-    :set ($DHCPServers->($ServerVal->"name")) \
-      [ :totime [ $EitherOr ($ServerInfo->"timeout") 4w ] ];
-  }
-}
-
-:foreach Client in=[ /caps-man/registration-table/find where comment~"^hotspot-to-wpa:" ] do={
-  :local ClientVal [ /caps-man/registration-table/get $Client ];
-  :foreach Lease in=[ /ip/dhcp-server/lease/find where dynamic \
-      mac-address=($ClientVal->"mac-address") ] do={
-    :if (($DHCPServers->[ /ip/dhcp-server/lease/get $Lease server ]) > 0s) do={
-      $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
-        " connected to WPA, making lease static.") false;
-      /ip/dhcp-server/lease/make-static $Lease;
-      /ip/dhcp-server/lease/set comment=($ClientVal->"comment") $Lease;
-    }
-  }
-}
-
-:foreach Client in=[ /caps-man/access-list/find where comment~"^hotspot-to-wpa:" \
-    !(comment~[ /system/clock/get date ]) ] do={
-  :local ClientVal [ /caps-man/access-list/get $Client ];
-  :if ([ :len [ /ip/dhcp-server/lease/find where !dynamic comment~"^hotspot-to-wpa:" \
-       mac-address=($ClientVal->"mac-address") ] ] = 0) do={
-    $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
-      " did not connect to WPA, removing from access list.") false;
-    /caps-man/access-list/remove $Client;
-  }
-}
-
-:foreach Server,Timeout in=$DHCPServers do={
-  :foreach Lease in=[ /ip/dhcp-server/lease/find where !dynamic status="waiting" \
-      server=$Server last-seen>$Timeout comment~"^hotspot-to-wpa:" ] do={
-    :local LeaseVal [ /ip/dhcp-server/lease/get $Lease ];
-    $LogPrintExit2 info $0 ("Client with mac address " . ($LeaseVal->"mac-address") . \
-      " was not seen for " . $Timeout . ", removing.") false;
-    /caps-man/access-list/remove [ find where comment~"^hotspot-to-wpa:" \
-      mac-address=($LeaseVal->"mac-address") ];
-    /ip/dhcp-server/lease/remove $Lease;
-  }
-}
+# dummy for migration
diff --git a/hotspot-to-wpa-cleanup.template.rsc b/hotspot-to-wpa-cleanup.template.rsc
new file mode 100644
index 0000000..38313d9
--- /dev/null
+++ b/hotspot-to-wpa-cleanup.template.rsc
@@ -0,0 +1,75 @@
+#!rsc by RouterOS
+# RouterOS script: hotspot-to-wpa-cleanup%TEMPL%
+# Copyright (c) 2021-2023 Christian Hesse <mail@eworm.de>
+# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+#
+# provides: lease-script, order=80
+#
+# manage and clean up private WPA passphrase after hotspot login
+# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:local 0 "hotspot-to-wpa-cleanup%TEMPL%";
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:global EitherOr;
+:global LogPrintExit2;
+:global ParseKeyValueStore;
+:global ScriptLock;
+
+$ScriptLock $0 false 10;
+
+:local DHCPServers ({});
+:foreach Server in=[ /ip/dhcp-server/find where comment~"hotspot-to-wpa" ] do={
+  :local ServerVal [ /ip/dhcp-server/get $Server ]
+  :local ServerInfo [ $ParseKeyValueStore ($ServerVal->"comment") ];
+  :if (($ServerInfo->"hotspot-to-wpa") = "wpa") do={
+    :set ($DHCPServers->($ServerVal->"name")) \
+      [ :totime [ $EitherOr ($ServerInfo->"timeout") 4w ] ];
+  }
+}
+
+:foreach Client in=[ /caps-man/registration-table/find where comment~"^hotspot-to-wpa:" ] do={
+:foreach Client in=[ /interface/wifiwave2/registration-table/find where comment~"^hotspot-to-wpa:" ] do={
+  :local ClientVal [ /caps-man/registration-table/get $Client ];
+  :local ClientVal [ /interface/wifiwave2/registration-table/get $Client ];
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where dynamic \
+      mac-address=($ClientVal->"mac-address") ] do={
+    :if (($DHCPServers->[ /ip/dhcp-server/lease/get $Lease server ]) > 0s) do={
+      $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
+        " connected to WPA, making lease static.") false;
+      /ip/dhcp-server/lease/make-static $Lease;
+      /ip/dhcp-server/lease/set comment=($ClientVal->"comment") $Lease;
+    }
+  }
+}
+
+:foreach Client in=[ /caps-man/access-list/find where comment~"^hotspot-to-wpa:" \
+:foreach Client in=[ /interface/wifiwave2/access-list/find where comment~"^hotspot-to-wpa:" \
+    !(comment~[ /system/clock/get date ]) ] do={
+  :local ClientVal [ /caps-man/access-list/get $Client ];
+  :local ClientVal [ /interface/wifiwave2/access-list/get $Client ];
+  :if ([ :len [ /ip/dhcp-server/lease/find where !dynamic comment~"^hotspot-to-wpa:" \
+       mac-address=($ClientVal->"mac-address") ] ] = 0) do={
+    $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
+      " did not connect to WPA, removing from access list.") false;
+    /caps-man/access-list/remove $Client;
+    /interface/wifiwave2/access-list/remove $Client;
+  }
+}
+
+:foreach Server,Timeout in=$DHCPServers do={
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where !dynamic status="waiting" \
+      server=$Server last-seen>$Timeout comment~"^hotspot-to-wpa:" ] do={
+    :local LeaseVal [ /ip/dhcp-server/lease/get $Lease ];
+    $LogPrintExit2 info $0 ("Client with mac address " . ($LeaseVal->"mac-address") . \
+      " was not seen for " . $Timeout . ", removing.") false;
+    /caps-man/access-list/remove [ find where comment~"^hotspot-to-wpa:" \
+    /interface/wifiwave2/access-list/remove [ find where comment~"^hotspot-to-wpa:" \
+      mac-address=($LeaseVal->"mac-address") ];
+    /ip/dhcp-server/lease/remove $Lease;
+  }
+}
diff --git a/hotspot-to-wpa-cleanup.wifiwave2.rsc b/hotspot-to-wpa-cleanup.wifiwave2.rsc
new file mode 100644
index 0000000..a8ba34c
--- /dev/null
+++ b/hotspot-to-wpa-cleanup.wifiwave2.rsc
@@ -0,0 +1,68 @@
+#!rsc by RouterOS
+# RouterOS script: hotspot-to-wpa-cleanup.wifiwave2
+# Copyright (c) 2021-2023 Christian Hesse <mail@eworm.de>
+# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+#
+# provides: lease-script, order=80
+#
+# manage and clean up private WPA passphrase after hotspot login
+# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local 0 "hotspot-to-wpa-cleanup.wifiwave2";
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:global EitherOr;
+:global LogPrintExit2;
+:global ParseKeyValueStore;
+:global ScriptLock;
+
+$ScriptLock $0 false 10;
+
+:local DHCPServers ({});
+:foreach Server in=[ /ip/dhcp-server/find where comment~"hotspot-to-wpa" ] do={
+  :local ServerVal [ /ip/dhcp-server/get $Server ]
+  :local ServerInfo [ $ParseKeyValueStore ($ServerVal->"comment") ];
+  :if (($ServerInfo->"hotspot-to-wpa") = "wpa") do={
+    :set ($DHCPServers->($ServerVal->"name")) \
+      [ :totime [ $EitherOr ($ServerInfo->"timeout") 4w ] ];
+  }
+}
+
+:foreach Client in=[ /interface/wifiwave2/registration-table/find where comment~"^hotspot-to-wpa:" ] do={
+  :local ClientVal [ /interface/wifiwave2/registration-table/get $Client ];
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where dynamic \
+      mac-address=($ClientVal->"mac-address") ] do={
+    :if (($DHCPServers->[ /ip/dhcp-server/lease/get $Lease server ]) > 0s) do={
+      $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
+        " connected to WPA, making lease static.") false;
+      /ip/dhcp-server/lease/make-static $Lease;
+      /ip/dhcp-server/lease/set comment=($ClientVal->"comment") $Lease;
+    }
+  }
+}
+
+:foreach Client in=[ /interface/wifiwave2/access-list/find where comment~"^hotspot-to-wpa:" \
+    !(comment~[ /system/clock/get date ]) ] do={
+  :local ClientVal [ /interface/wifiwave2/access-list/get $Client ];
+  :if ([ :len [ /ip/dhcp-server/lease/find where !dynamic comment~"^hotspot-to-wpa:" \
+       mac-address=($ClientVal->"mac-address") ] ] = 0) do={
+    $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
+      " did not connect to WPA, removing from access list.") false;
+    /interface/wifiwave2/access-list/remove $Client;
+  }
+}
+
+:foreach Server,Timeout in=$DHCPServers do={
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where !dynamic status="waiting" \
+      server=$Server last-seen>$Timeout comment~"^hotspot-to-wpa:" ] do={
+    :local LeaseVal [ /ip/dhcp-server/lease/get $Lease ];
+    $LogPrintExit2 info $0 ("Client with mac address " . ($LeaseVal->"mac-address") . \
+      " was not seen for " . $Timeout . ", removing.") false;
+    /interface/wifiwave2/access-list/remove [ find where comment~"^hotspot-to-wpa:" \
+      mac-address=($LeaseVal->"mac-address") ];
+    /ip/dhcp-server/lease/remove $Lease;
+  }
+}
diff --git a/hotspot-to-wpa.capsman.rsc b/hotspot-to-wpa.capsman.rsc
new file mode 100644
index 0000000..a7ebafb
--- /dev/null
+++ b/hotspot-to-wpa.capsman.rsc
@@ -0,0 +1,89 @@
+#!rsc by RouterOS
+# RouterOS script: hotspot-to-wpa.capsman
+# Copyright (c) 2019-2023 Christian Hesse <mail@eworm.de>
+# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+#
+# add private WPA passphrase after hotspot login
+# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local 0 "hotspot-to-wpa.capsman";
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:global EitherOr;
+:global LogPrintExit2;
+:global ParseKeyValueStore;
+:global ScriptLock;
+
+$ScriptLock $0;
+
+:local MacAddress $"mac-address";
+:local UserName $username;
+
+:if ([ :typeof $MacAddress ] = "nothing" || [ :typeof $UserName ] = "nothing") do={
+  $LogPrintExit2 error $0 ("This script is supposed to run from hotspot on login.") true;
+}
+
+:local Date [ /system/clock/get date ];
+:local UserVal ({});
+:if ([ :len [ /ip/hotspot/user/find where name=$UserName ] ] > 0) do={
+  :set UserVal [ /ip/hotspot/user/get [ find where name=$UserName ] ];
+}
+:local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
+:local Hotspot [ /ip/hotspot/host/get [ find where mac-address=$MacAddress authorized ] server ];
+
+:if ([ :len [ /caps-man/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ] ] = 0) do={
+  /caps-man/access-list/add comment="--- hotspot-to-wpa above ---" disabled=yes;
+  $LogPrintExit2 warning $0 ("Added disabled access-list entry with comment '--- hotspot-to-wpa above ---'.") false;
+}
+:local PlaceBefore ([ /caps-man/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ]->0);
+
+:if ([ :len [ /caps-man/access-list/find where \
+    comment=("hotspot-to-wpa template " . $Hotspot) disabled ] ] = 0) do={
+  /caps-man/access-list/add comment=("hotspot-to-wpa template " . $Hotspot) disabled=yes place-before=$PlaceBefore;
+  $LogPrintExit2 warning $0 ("Added template in access-list for hotspot '" . $Hotspot . "'.") false;
+}
+:local Template [ /caps-man/access-list/get ([ find where \
+    comment=("hotspot-to-wpa template " . $Hotspot) disabled ]->0) ];
+
+:if ($Template->"action" = "reject") do={
+  $LogPrintExit2 info $0 ("Ignoring login for hotspot '" . $Hotspot . "'.") true;
+}
+
+# allow login page to load
+:delay 1s;
+
+$LogPrintExit2 info $0 ("Adding/updating access-list entry for mac address " . $MacAddress . \
+  " (user " . $UserName . ").") false;
+/caps-man/access-list/remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
+/caps-man/access-list/add private-passphrase=($UserVal->"password") ssid-regexp="-wpa\$" \
+    mac-address=$MacAddress comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \
+    action=reject place-before=$PlaceBefore;
+
+:local Entry [ /caps-man/access-list/find where mac-address=$MacAddress \
+    comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) ];
+:local PrivatePassphrase [ $EitherOr ($UserInfo->"private-passphrase") ($Template->"private-passphrase") ];
+:if ([ :len $PrivatePassphrase ] > 0) do={
+  :if ($PrivatePassphrase = "ignore") do={
+    /caps-man/access-list/set $Entry !private-passphrase;
+  } else={
+    /caps-man/access-list/set $Entry private-passphrase=$PrivatePassphrase;
+  }
+}
+:local SsidRegexp [ $EitherOr ($UserInfo->"ssid-regexp") ($Template->"ssid-regexp") ];
+:if ([ :len $SsidRegexp ] > 0) do={
+  /caps-man/access-list/set $Entry ssid-regexp=$SsidRegexp;
+}
+:local VlanId [ $EitherOr ($UserInfo->"vlan-id") ($Template->"vlan-id") ];
+:if ([ :len $VlanId ] > 0) do={
+  /caps-man/access-list/set $Entry vlan-id=$VlanId;
+}
+:local VlanMode [ $EitherOr ($UserInfo->"vlan-mode") ($Template->"vlan-mode") ];
+:if ([ :len $VlanMode] > 0) do={
+  /caps-man/access-list/set $Entry vlan-mode=$VlanMode;
+}
+
+:delay 2s;
+/caps-man/access-list/set $Entry action=accept;
diff --git a/hotspot-to-wpa.rsc b/hotspot-to-wpa.rsc
index 35d4fa5..2da00ca 100644
--- a/hotspot-to-wpa.rsc
+++ b/hotspot-to-wpa.rsc
@@ -1,87 +1,3 @@
 #!rsc by RouterOS
-# RouterOS script: hotspot-to-wpa
-# Copyright (c) 2019-2023 Christian Hesse <mail@eworm.de>
-# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
 #
-# add private WPA passphrase after hotspot login
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
-
-:local 0 "hotspot-to-wpa";
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:global EitherOr;
-:global LogPrintExit2;
-:global ParseKeyValueStore;
-:global ScriptLock;
-
-$ScriptLock $0;
-
-:local MacAddress $"mac-address";
-:local UserName $username;
-
-:if ([ :typeof $MacAddress ] = "nothing" || [ :typeof $UserName ] = "nothing") do={
-  $LogPrintExit2 error $0 ("This script is supposed to run from hotspot on login.") true;
-}
-
-:local Date [ /system/clock/get date ];
-:local UserVal ({});
-:if ([ :len [ /ip/hotspot/user/find where name=$UserName ] ] > 0) do={
-  :set UserVal [ /ip/hotspot/user/get [ find where name=$UserName ] ];
-}
-:local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
-:local Hotspot [ /ip/hotspot/host/get [ find where mac-address=$MacAddress authorized ] server ];
-
-:if ([ :len [ /caps-man/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ] ] = 0) do={
-  /caps-man/access-list/add comment="--- hotspot-to-wpa above ---" disabled=yes;
-  $LogPrintExit2 warning $0 ("Added disabled access-list entry with comment '--- hotspot-to-wpa above ---'.") false;
-}
-:local PlaceBefore ([ /caps-man/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ]->0);
-
-:if ([ :len [ /caps-man/access-list/find where \
-    comment=("hotspot-to-wpa template " . $Hotspot) disabled ] ] = 0) do={
-  /caps-man/access-list/add comment=("hotspot-to-wpa template " . $Hotspot) disabled=yes place-before=$PlaceBefore;
-  $LogPrintExit2 warning $0 ("Added template in access-list for hotspot '" . $Hotspot . "'.") false;
-}
-:local Template [ /caps-man/access-list/get ([ find where \
-    comment=("hotspot-to-wpa template " . $Hotspot) disabled ]->0) ];
-
-:if ($Template->"action" = "reject") do={
-  $LogPrintExit2 info $0 ("Ignoring login for hotspot '" . $Hotspot . "'.") true;
-}
-
-# allow login page to load
-:delay 1s;
-
-$LogPrintExit2 info $0 ("Adding/updating access-list entry for mac address " . $MacAddress . \
-  " (user " . $UserName . ").") false;
-/caps-man/access-list/remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
-/caps-man/access-list/add comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \
-    mac-address=$MacAddress private-passphrase=($UserVal->"password") ssid-regexp="-wpa\$" \
-    action=reject place-before=$PlaceBefore;
-
-:local Entry [ /caps-man/access-list/find where mac-address=$MacAddress \
-    comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) ];
-:local PrivatePassphrase [ $EitherOr ($UserInfo->"private-passphrase") ($Template->"private-passphrase") ];
-:if ([ :len $PrivatePassphrase ] > 0) do={
-  :if ($PrivatePassphrase = "ignore") do={
-    /caps-man/access-list/set $Entry !private-passphrase;
-  } else={
-    /caps-man/access-list/set $Entry private-passphrase=$PrivatePassphrase;
-  }
-}
-:local SsidRegexp [ $EitherOr ($UserInfo->"ssid-regexp") ($Template->"ssid-regexp") ];
-:if ([ :len $SsidRegexp ] > 0) do={
-  /caps-man/access-list/set $Entry ssid-regexp=$SsidRegexp;
-}
-:local VlanId [ $EitherOr ($UserInfo->"vlan-id") ($Template->"vlan-id") ];
-:if ([ :len $VlanId ] > 0) do={
-  /caps-man/access-list/set $Entry vlan-id=$VlanId;
-}
-:local VlanMode [ $EitherOr ($UserInfo->"vlan-mode") ($Template->"vlan-mode") ];
-:if ([ :len $VlanMode] > 0) do={
-  /caps-man/access-list/set $Entry vlan-mode=$VlanMode;
-}
-
-:delay 2s;
-/caps-man/access-list/set $Entry action=accept;
+# dummy for migration
diff --git a/hotspot-to-wpa.template.rsc b/hotspot-to-wpa.template.rsc
new file mode 100644
index 0000000..f465722
--- /dev/null
+++ b/hotspot-to-wpa.template.rsc
@@ -0,0 +1,110 @@
+#!rsc by RouterOS
+# RouterOS script: hotspot-to-wpa%TEMPL%
+# Copyright (c) 2019-2023 Christian Hesse <mail@eworm.de>
+# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+#
+# add private WPA passphrase after hotspot login
+# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:local 0 "hotspot-to-wpa%TEMPL%";
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:global EitherOr;
+:global LogPrintExit2;
+:global ParseKeyValueStore;
+:global ScriptLock;
+
+$ScriptLock $0;
+
+:local MacAddress $"mac-address";
+:local UserName $username;
+
+:if ([ :typeof $MacAddress ] = "nothing" || [ :typeof $UserName ] = "nothing") do={
+  $LogPrintExit2 error $0 ("This script is supposed to run from hotspot on login.") true;
+}
+
+:local Date [ /system/clock/get date ];
+:local UserVal ({});
+:if ([ :len [ /ip/hotspot/user/find where name=$UserName ] ] > 0) do={
+  :set UserVal [ /ip/hotspot/user/get [ find where name=$UserName ] ];
+}
+:local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
+:local Hotspot [ /ip/hotspot/host/get [ find where mac-address=$MacAddress authorized ] server ];
+
+:if ([ :len [ /caps-man/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ] ] = 0) do={
+:if ([ :len [ /interface/wifiwave2/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ] ] = 0) do={
+  /caps-man/access-list/add comment="--- hotspot-to-wpa above ---" disabled=yes;
+  /interface/wifiwave2/access-list/add comment="--- hotspot-to-wpa above ---" disabled=yes;
+  $LogPrintExit2 warning $0 ("Added disabled access-list entry with comment '--- hotspot-to-wpa above ---'.") false;
+}
+:local PlaceBefore ([ /caps-man/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ]->0);
+:local PlaceBefore ([ /interface/wifiwave2/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ]->0);
+
+:if ([ :len [ /caps-man/access-list/find where \
+:if ([ :len [ /interface/wifiwave2/access-list/find where \
+    comment=("hotspot-to-wpa template " . $Hotspot) disabled ] ] = 0) do={
+  /caps-man/access-list/add comment=("hotspot-to-wpa template " . $Hotspot) disabled=yes place-before=$PlaceBefore;
+  /interface/wifiwave2/access-list/add comment=("hotspot-to-wpa template " . $Hotspot) disabled=yes place-before=$PlaceBefore;
+  $LogPrintExit2 warning $0 ("Added template in access-list for hotspot '" . $Hotspot . "'.") false;
+}
+:local Template [ /caps-man/access-list/get ([ find where \
+:local Template [ /interface/wifiwave2/access-list/get ([ find where \
+    comment=("hotspot-to-wpa template " . $Hotspot) disabled ]->0) ];
+
+:if ($Template->"action" = "reject") do={
+  $LogPrintExit2 info $0 ("Ignoring login for hotspot '" . $Hotspot . "'.") true;
+}
+
+# allow login page to load
+:delay 1s;
+
+$LogPrintExit2 info $0 ("Adding/updating access-list entry for mac address " . $MacAddress . \
+  " (user " . $UserName . ").") false;
+/caps-man/access-list/remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
+/interface/wifiwave2/access-list/remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
+/caps-man/access-list/add private-passphrase=($UserVal->"password") ssid-regexp="-wpa\$" \
+/interface/wifiwave2/access-list/add passphrase=($UserVal->"password") ssid-regexp="-wpa\$" \
+    mac-address=$MacAddress comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \
+    action=reject place-before=$PlaceBefore;
+
+:local Entry [ /caps-man/access-list/find where mac-address=$MacAddress \
+:local Entry [ /interface/wifiwave2/access-list/find where mac-address=$MacAddress \
+    comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) ];
+# NOT /caps-man #
+:set ($Template->"private-passphrase") ($Template->"passphrase");
+# NOT /caps-man #
+:local PrivatePassphrase [ $EitherOr ($UserInfo->"private-passphrase") ($Template->"private-passphrase") ];
+:if ([ :len $PrivatePassphrase ] > 0) do={
+  :if ($PrivatePassphrase = "ignore") do={
+    /caps-man/access-list/set $Entry !private-passphrase;
+    /interface/wifiwave2/access-list/set $Entry !passphrase;
+  } else={
+    /caps-man/access-list/set $Entry private-passphrase=$PrivatePassphrase;
+    /interface/wifiwave2/access-list/set $Entry passphrase=$PrivatePassphrase;
+  }
+}
+:local SsidRegexp [ $EitherOr ($UserInfo->"ssid-regexp") ($Template->"ssid-regexp") ];
+:if ([ :len $SsidRegexp ] > 0) do={
+  /caps-man/access-list/set $Entry ssid-regexp=$SsidRegexp;
+  /interface/wifiwave2/access-list/set $Entry ssid-regexp=$SsidRegexp;
+}
+:local VlanId [ $EitherOr ($UserInfo->"vlan-id") ($Template->"vlan-id") ];
+:if ([ :len $VlanId ] > 0) do={
+  /caps-man/access-list/set $Entry vlan-id=$VlanId;
+  /interface/wifiwave2/access-list/set $Entry vlan-id=$VlanId;
+}
+# NOT /interface/wifiwave2 #
+:local VlanMode [ $EitherOr ($UserInfo->"vlan-mode") ($Template->"vlan-mode") ];
+:if ([ :len $VlanMode] > 0) do={
+  /caps-man/access-list/set $Entry vlan-mode=$VlanMode;
+  /interface/wifiwave2/access-list/set $Entry vlan-mode=$VlanMode;
+}
+# NOT /interface/wifiwave2 #
+
+:delay 2s;
+/caps-man/access-list/set $Entry action=accept;
+/interface/wifiwave2/access-list/set $Entry action=accept;
diff --git a/hotspot-to-wpa.wifiwave2.rsc b/hotspot-to-wpa.wifiwave2.rsc
new file mode 100644
index 0000000..ea44a9d
--- /dev/null
+++ b/hotspot-to-wpa.wifiwave2.rsc
@@ -0,0 +1,86 @@
+#!rsc by RouterOS
+# RouterOS script: hotspot-to-wpa.wifiwave2
+# Copyright (c) 2019-2023 Christian Hesse <mail@eworm.de>
+# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+#
+# add private WPA passphrase after hotspot login
+# https://git.eworm.de/cgit/routeros-scripts/about/doc/hotspot-to-wpa.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local 0 "hotspot-to-wpa.wifiwave2";
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:global EitherOr;
+:global LogPrintExit2;
+:global ParseKeyValueStore;
+:global ScriptLock;
+
+$ScriptLock $0;
+
+:local MacAddress $"mac-address";
+:local UserName $username;
+
+:if ([ :typeof $MacAddress ] = "nothing" || [ :typeof $UserName ] = "nothing") do={
+  $LogPrintExit2 error $0 ("This script is supposed to run from hotspot on login.") true;
+}
+
+:local Date [ /system/clock/get date ];
+:local UserVal ({});
+:if ([ :len [ /ip/hotspot/user/find where name=$UserName ] ] > 0) do={
+  :set UserVal [ /ip/hotspot/user/get [ find where name=$UserName ] ];
+}
+:local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
+:local Hotspot [ /ip/hotspot/host/get [ find where mac-address=$MacAddress authorized ] server ];
+
+:if ([ :len [ /interface/wifiwave2/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ] ] = 0) do={
+  /interface/wifiwave2/access-list/add comment="--- hotspot-to-wpa above ---" disabled=yes;
+  $LogPrintExit2 warning $0 ("Added disabled access-list entry with comment '--- hotspot-to-wpa above ---'.") false;
+}
+:local PlaceBefore ([ /interface/wifiwave2/access-list/find where comment="--- hotspot-to-wpa above ---" disabled ]->0);
+
+:if ([ :len [ /interface/wifiwave2/access-list/find where \
+    comment=("hotspot-to-wpa template " . $Hotspot) disabled ] ] = 0) do={
+  /interface/wifiwave2/access-list/add comment=("hotspot-to-wpa template " . $Hotspot) disabled=yes place-before=$PlaceBefore;
+  $LogPrintExit2 warning $0 ("Added template in access-list for hotspot '" . $Hotspot . "'.") false;
+}
+:local Template [ /interface/wifiwave2/access-list/get ([ find where \
+    comment=("hotspot-to-wpa template " . $Hotspot) disabled ]->0) ];
+
+:if ($Template->"action" = "reject") do={
+  $LogPrintExit2 info $0 ("Ignoring login for hotspot '" . $Hotspot . "'.") true;
+}
+
+# allow login page to load
+:delay 1s;
+
+$LogPrintExit2 info $0 ("Adding/updating access-list entry for mac address " . $MacAddress . \
+  " (user " . $UserName . ").") false;
+/interface/wifiwave2/access-list/remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
+/interface/wifiwave2/access-list/add passphrase=($UserVal->"password") ssid-regexp="-wpa\$" \
+    mac-address=$MacAddress comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \
+    action=reject place-before=$PlaceBefore;
+
+:local Entry [ /interface/wifiwave2/access-list/find where mac-address=$MacAddress \
+    comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) ];
+:set ($Template->"private-passphrase") ($Template->"passphrase");
+:local PrivatePassphrase [ $EitherOr ($UserInfo->"private-passphrase") ($Template->"private-passphrase") ];
+:if ([ :len $PrivatePassphrase ] > 0) do={
+  :if ($PrivatePassphrase = "ignore") do={
+    /interface/wifiwave2/access-list/set $Entry !passphrase;
+  } else={
+    /interface/wifiwave2/access-list/set $Entry passphrase=$PrivatePassphrase;
+  }
+}
+:local SsidRegexp [ $EitherOr ($UserInfo->"ssid-regexp") ($Template->"ssid-regexp") ];
+:if ([ :len $SsidRegexp ] > 0) do={
+  /interface/wifiwave2/access-list/set $Entry ssid-regexp=$SsidRegexp;
+}
+:local VlanId [ $EitherOr ($UserInfo->"vlan-id") ($Template->"vlan-id") ];
+:if ([ :len $VlanId ] > 0) do={
+  /interface/wifiwave2/access-list/set $Entry vlan-id=$VlanId;
+}
+
+:delay 2s;
+/interface/wifiwave2/access-list/set $Entry action=accept;
-- 
cgit v1.2.3-54-g00ecf